httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 45393] New: Apache returns 500 Error when no LDAP credentials are supplied
Date Mon, 14 Jul 2008 18:07:37 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=45393

           Summary: Apache returns 500 Error when no LDAP credentials are
                    supplied
           Product: Apache httpd-2
           Version: 2.2.9
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authz_ldap
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: dstusynski@ptc.com


There seems to be an issue on Windows Apache 2.2.9 when compiled against the
MSSDK for LDAP. When a user accesses an authenticated resource and is prompted
for credentials, if they do not enter a username and password and instead hit
ok at the prompt, Apache returns a 500 error due to a filter error.

Excerpt from the Error Log:
[Mon Jul 14 11:16:04 2008] [debug] mod_headers.c(711): headers:
ap_headers_output_filter()
[Mon Jul 14 11:16:08 2008] [debug] mod_authnz_ldap.c(377): [client
132.253.10.108] [6488] auth_ldap authenticate: using URL
ldap://server:389/ou=people,cn=EnterpriseLdap,cn=app,dc=server,dc=subdomain,dc=domain,dc=com,
referer: http://server:10080/app/
[Mon Jul 14 11:16:08 2008] [warn] [client 132.253.10.108] [6488] auth_ldap
authenticate: user  authentication failed; URI /app/servlet/Navigation
[ldap_search_ext_s() for user failed][Filter Error], referer:
http://server:10080/app/

Taken from the Access Log:
132.253.10.108 - - [14/Jul/2008:11:16:08 -0500] "GET
/PDMPJL91/servlet/Navigation HTTP/1.1" 500 487 15625

I was slightly curious about this so I recompiled with a few lines of "random"
debugging to see what statements were firing and what some variables were
being set to in mod_authnz_ldap.c and util_ldap.c.

In mod_authnz_ldap.c's function static void authn_ldap_build_filter(...):
I added a logging statement in the 
if (sent_user != NULL) {
        user = apr_pstrdup (r->pool, sent_user);
to see what the user was being set to in the event this statement was
executing. The user was logged as "user=[]" and is clearly not NULL which I
expected since in fact the if(sent_user != NULL) was executing. I originally
didn't expect this statement to execute at all.

The filter eventually gets created by:
else
        filter = sec->filter;

and is set to the "objectclass=*" (my logs kick out filter=[objectclass=*]).
From a quick glance that appears to be a valid filter for the MS
ldap_search_ext_s API.

Then when authn_ldap_check_password function gets executed I originally
expected the request to error out on the password=NULL and/or the username=NULL
check, however, these did not execute. I guess that means the empty user/pass
is an empty string as opposed to NULL.

In util_ldap.c the statement:
result = ldap_search_ext_s(ldc->ldap,
                               (char *)basedn, scope,
                               (char *)filter, attrs, 0,
                               NULL, NULL, NULL, APR_LDAP_SIZELIMIT, &res);

results in the error code being Filter Error from the logs.

For sanity's sake, I tested with Firefox and IE to rule out any odd IE quirk.

Is this an Apache issue not handling the blank user/pass credentials properly?
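
Added example, not part of the original report and not Apache's own code: a stand-alone C sketch of the NULL versus empty-string distinction described above, with a guard that rejects empty credentials before any search filter is built. The names check_creds and build_filter, the "uid" attribute and the "(&(base)(attr=user))" filter shape are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this example (not Apache's own). */
enum cred_status { CRED_OK, CRED_MISSING, CRED_EMPTY };

/* NULL: no credentials parsed. "": the user just hit OK at the prompt.
 * A NULL-only test lets the empty string through, as the report found. */
static enum cred_status check_creds(const char *user, const char *pass)
{
    if (user == NULL || pass == NULL) return CRED_MISSING;
    if (user[0] == '\0' || pass[0] == '\0') return CRED_EMPTY;
    return CRED_OK;
}

/* Assumed filter shape: "(&(<base>)(<attr>=<user>))" with RFC 4515
 * escaping of the user value. Returns 0, or -1 when the user is
 * NULL/empty or the buffer is too small. */
static int build_filter(char *out, size_t n, const char *base,
                        const char *attr, const char *user)
{
    int w;
    size_t len;
    if (user == NULL || user[0] == '\0') return -1;
    w = snprintf(out, n, "(&(%s)(%s=", base, attr);
    if (w < 0 || (size_t)w >= n) return -1;
    len = (size_t)w;
    for (; *user; user++) {
        if (strchr("*()\\", *user)) {
            if (len + 3 >= n) return -1;
            len += (size_t)snprintf(out + len, n - len, "\\%02x", (unsigned char)*user);
        } else {
            if (len + 1 >= n) return -1;
            out[len++] = *user;
        }
    }
    if (len + 2 >= n) return -1;
    memcpy(out + len, "))", 3);
    return 0;
}

int main(void)
{
    char f[128];
    /* Constructed inputs: empty prompt, then a normal user name. */
    printf("empty: %d\n", check_creds("", ""));
    if (build_filter(f, sizeof f, "objectclass=*", "uid", "jdoe") == 0) puts(f);
    return 0;
}
```

A caller that gets CRED_EMPTY can answer with an authentication failure instead of passing the request on to the directory search.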

